External risk intelligence

VegaBird Vooki DLL Hijacking Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2024-45874

This vulnerability is a DLL hijacking issue requiring a local attacker to place a malicious file in the application's installation directory. It is a client-side execution issue on a local system and lacks network-reachable or internet-facing characteristics in typical deployments.

Code Injection

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a critical vulnerability in VegaBird Vooki where an attacker could execute arbitrary code by placing a malicious file in the application's directory, potentially allowing for persistence on affected systems. The primary concern is to confirm if this specific software is in use and if any exposure exists, given the nature of the vulnerability.

  • Malicious file can run unauthorized code.
  • Assess relevance to our environment.
  • Confirm use and exposure of the software.

Attack Path

How an attacker could exploit the issue

An attacker could initiate an attack by placing a specially crafted DLL file in the same directory as the Vooki executable. When Vooki runs, it would load the malicious DLL instead of its legitimate one, potentially allowing the attacker to execute arbitrary code or establish a persistent presence on the system.

  • Entry condition: Attacker must place a malicious DLL.
  • Trigger point: Vooki executable loads crafted DLL.
  • Resulting risk: Arbitrary code execution and persistence.

Live Threat

Current exploitation, exposure, and threat context

A DLL hijacking vulnerability in VegaBird Vooki could allow an attacker to execute arbitrary code or maintain persistence on a system. This could occur when an attacker places a specially crafted DLL file in the same directory as the Vooki executable.

  • Application code execution.
  • Malicious DLL placed in same directory.
  • System compromise or persistence.

Operational Fix

Recommended remediation, mitigation, and detection steps

This DLL hijacking vulnerability requires local access to place a malicious DLL in the application's directory. Owners of the affected application should first locate all installations, confirm reachability and business criticality, and then engage the responsible team to plan remediation.

  • Application owners should own this issue.
  • Verify all Vooki installations and reachability.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is VegaBird Vooki?

VegaBird Vooki is a software application that functions as a client-side tool. Users typically interact with it on their local workstations or personal computers to manage specific tasks defined by its feature set. Understanding its role on your local systems is the first step in assessing its presence across your environment.

What does CWE-94 mean for CVE-2024-45874?

CWE-94 refers to improper control of code generation or execution. In the context of this CVE, it means the application inadvertently trusts and executes external code—specifically a malicious DLL file—when it starts. Because the program fails to verify the integrity or origin of the files it loads during its launch process, it can be tricked into running unauthorized commands instead of its own intended functions.

How is this DLL hijacking triggered?

An attacker triggers this by placing a specially crafted DLL file directly into the folder where Vooki.exe resides. The vulnerability relies on the application's search path logic; when Vooki starts, it loads the malicious file instead of the legitimate one. This process does not trigger if the attacker cannot gain the specific access required to modify the application's local installation directory.

Is CVE-2024-45874 an internet-facing risk?

According to Halo Surface Signal, this is very unlikely to be an internet-facing threat. Because the flaw requires an attacker to place a malicious file directly into a local folder on the system, it is fundamentally a client-side execution issue. It lacks the network-reachable characteristics commonly associated with remote attacks, making it a concern primarily for systems where local access is already compromised.

What should I do if I have Vooki installed?

If your organization uses this software, begin by identifying which systems have it installed. Confirm the importance of these installations to your business operations. Once identified, consult your internal teams to manage the risk, as this issue requires local file system access to exploit. Focus on restricting folder permissions to prevent unauthorized users from placing files in the application directory.

References